Exploring Social Engineering Attacks and Prevention: MGM Hack

Yooooooo…Hey there security minded people! Today we were scheduled for a blog that covered the importance of proper system patching…well, we are moving that to next month! 😊 Drawing upon current events of the now globally famous MGM Hack of 2023, I think it's better to focus on Social Engineering in this blog as its super timely! While this won't be the only write up on Social Engineering, this blog post will introduce us to something that many enterprises glaringly overlook…IT controls are only one part of the security equation…we must also discuss process. Technology can fail due to poor business processes, and this MGM social engineering hack is a prime example for those who forget about the human component!  

 

MGM’s parent company thought they did everything correct in buying the correct software (Okta in this case, which is the 800lb gorilla in the Identity management space)…but they completely ignored the need to use the tool properly. Just like any tool, proper use is paramount! 

 

In this internet dominated era, the threat of social engineering attacks looms larger than ever before. These deceptive tactics exploit human psychology to gain unauthorized access to sensitive information. In this post, we will delve into the world of social engineering, examining its various forms, understanding the psychology behind it, and most importantly, exploring strategies for prevention. 

 

The MGM Social Engineering Hack overview 

This hack is currently being priced as 80-million-dollar loss for MGM…for a social engineering attack that was completed in 10 minutes…that’s a ton of pennies per second lost! In this case, well over 133 thousand dollars per second! Yes, I did the math! 😊

 

So, what happened? Tech support was tricked into resetting the MFA for a privileged user account. In more English terms…Someone impersonated a tech support staff with access and simply called helpdesk to reset the MFA and allow control of the account. From the privileged account, they managed to gain hypervisor level access leading to encrypting the landscape…and the rest is history. 

 

How could this have been prevented? 

Process. Process. Prozess!  

 

They had one of the correct tools, but they didn’t have the correct process.  Every single ProzessTec process takes into account the human factor, by far the most unpredictable of links in the security chain.  Not only should all privileged accounts report multiple recipients when passwords have been changed…but before any tech resets MFA or works on a privileged users account…they should verify directly with the user. 

 

My tact? I simply call the user. I call everyone, CEO’s on down. Everyone gets a call from me to make sure that the password reset, or the MFA reset…or let's face it, any modification that essentially “resets” the security and allows a privileged user to re-establish the keys to the kingdom all need some form of verification. A million ways to do this…call a known number, don’t trust the number that calls you. Make the user come into the office to verify. Do a video call…There are literally a thousand different ways to “verify the human”…use one of them!  

I can't tell you how many times I made a middle of the day call to a CEO just to say hi and to make sure it was really the CEO that made the request to reset a password.  99.999999999999999999999% of the time it will be the CEO’s legitimate request…but catching that 0.00000000000000001% of the time will make you a security Rockstar! 

 

Section 1: Understanding Social Engineering 

 

1.1 Types of Social Engineering Attacks

 

Social engineering encompasses a range of deceptive techniques: 

• **Phishing**: Sending fraudulent emails to trick recipients into revealing personal information. 
• **Vishing**: Using the phone to essentially Phish! I don’t like the term either…I personally classify it all as “Phishing”…For me “Phishing” is the act, and not the method. 
• **Pretexting**: Creating a fabricated scenario to extract sensitive data. 
• **Baiting**: Offering tempting rewards or downloads to lure victims into compromising their security. 
• **Tailgating**: Gaining physical access to restricted areas by following authorized personnel. 
• **Spear Phishing**: Customizing phishing attacks to specific individuals or organizations. 
• **Pillow talk**: I did not research if personal communication has a special “techy” term, like  Pillowishing, which I would hate as much as Vishing…but let's face it, if you have important protectable data, you shouldn’t be talking about it to anyone not involved in the project/enterprise…even if its face to face! 

 There are many more variants…but those give you an idea…essentially if you use a method to communicate, that method can be used to extract data from you.  

 

1.2 The Psychology Behind Social Engineering

 

Social engineers exploit innate human traits like trust, curiosity, and fear: 

• They often impersonate trusted entities or colleagues. They tend to pick people you will answer without question. Bosses and IT are easy to research as Bosses and IT teams tend to have their personal data publicly available. 
• Emotional manipulation and urgency are common tactics. Your boss urgently asking you to wire money, or a coworker frantically trying to log in to be able to create a report for the CEO will make you worry about the impending milestone and not about what you are doing. 
• Attackers leverage publicly available information for believability. Do a web search for your name and see how much data a bad actor can find out about you…it's scary! 

 

Section 2: Real-Life Examples

 

2.1 High-Profile Social Engineering Incidents

 

Notable cases include: 

• The 2016 Democratic and Republican National Committee (DNC/RNC) email hack, involving spear phishing. 
• The infamous Twitter Bitcoin scam, where attackers compromised high-profile accounts. 
• The Target breach, resulting from a third-party vendor's compromised credentials. 
• The MGM Social engineering hack of 2023 

 

2.2 Common Targets and Vulnerabilities

 

Social engineering attacks can target anyone, but common targets include employees, executives, and individuals with access to sensitive data. Vulnerabilities often exploited include: 

• Lack of security awareness and training. 
• Weak or reused passwords. Our neat-o password blog will cover some of the best ways to handle your password…I bet you can't wait till that blog!
• Absence of multi-factor authentication. Seriously. Do it! I mean it! 😊  
• Poor Process that allows one to bypass any technical controls. 

 

Section 3: Prevention Strategies

 

3.1 User Education and Training

 

Raising awareness is key: 

• Conduct regular security training for employees. ProzessTec has a monthly security newsletter that you can purchase to not only give your enterprise constant security love but will also satisfy many cyber security insurance requirements for constant education. 
• Teach them to recognize suspicious emails, phone calls, and in-person interactions. This one is simple…I have trained more than a few end users to identify emails and they have become amazing at identifying rogue emails. 
• Promote a culture of skepticism without undermining trust. Thank everyone who asks questions about security…make sure the user asking the question is heard and made to not feel ignorant…you want to foster the security reporting, not stifle it! 
• Create processes that protect against the human factor, i.e.…build in old school verification techniques to your modern day landscape. 

 

3.2 Strong Authentication and Access Controls

 

• Enforce the use of multi-factor authentication (MFA) to add an extra layer of security. Also, don’t use SMS…please use some App like Authy, or Microsoft authenticator and leverage its controls. 
• Limit access to sensitive information based on roles and responsibilities. First thing I do is remove the CEO’s admin access for most small companies…this is my main rule and I will literally walk from the project if this step Is not satisfied. IT Directors don’t even need full global admin…most managers don’t…in fact there should only be 2-3 Global admins and 1 break glass account in the hands of the business. That's it…everyone else should get the minimum level of access to do their job.
• Monitor and audit access logs for unusual behavior. This is a big one.  All Prozesstec's processes are written to protect the Enterprises from privileged users.  Having a simple report that shows all the admins what was changed and what files were accessed is a pretty decent failsafe.  So add reporting on all system changes that might be a sign of bad things happening. 

 

3.3 Security Policies and Procedures

 

• Develop and enforce clear security policies and procedures. 
• Create an incident response plan for swift action in case of a breach. 
• Regularly update policies to adapt to evolving threats. 
• Verify changes to privileged accounts. 

 

Section 4: Technological Solutions

 

4.1 Email Filtering and Anti-Phishing Tools

 

• Implement email filtering solutions to detect and block phishing attempts. 
• Utilize anti-phishing tools that analyze links and attachments for malicious content. 

 

4.2 AI and Machine Learning in Social Engineering Prevention 

 

• Leverage AI and machine learning algorithms to detect unusual behavior patterns. 
• These technologies can identify suspicious login attempts and flag potential threats. That’s the promise anyway…this being said AI can still be fooled…so don’t that simply buying an AI tool will be your solution. AI tools are just one weapon in your arsenal. 

 

Conclusion

 

Software is fun, but a broken process can break your software.  You might think you are protected, but you will be wrong in the worst way.  Don’t catch yourself dusting off the resume over a simple little oversight like process.  Work with your IT team to come up with processes that work with your software and close out the gaps that the software alone cannot fill.  Protect against the human element by adding some old fashioned human recognition.